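# IAM role assumed by the Bamboo build agent that provisions GitLab Dedicated
# infrastructure (Packer image builds, eksctl cluster creation, deploys).
#
# Permission model: the inline policy is a flat union of per-tool statements
# (Deploy*/Packer*/eks*) plus several broad "<service>:*" grants on every
# resource. The broad grants make most of the scoped statements redundant in
# effect -- see the per-statement notes below. The permissions themselves are
# reproduced unchanged; the notes only flag risk and redundancy for the owning
# team to act on.
resource "aws_iam_role" "gitlab_dedicated_bamboo_agent" {
  name = "gitlab-dedicated-bamboo-agent"

  # Trust policy: only the EC2 service may assume this role, i.e. any instance
  # launched with an instance profile that contains it. Who may launch such an
  # instance is governed by iam:PassRole on this role, granted elsewhere.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "ec2.amazonaws.com"
      }
    }]
  })

  # NOTE(review): newer AWS provider releases deprecate `inline_policy` in
  # favour of a separate aws_iam_role_policy resource -- confirm against the
  # provider version pinned for this module.
  inline_policy {
    name = "CopyOfBambooDeployRolePolicy"
    # Object keys use HCL attribute syntax (`=`) throughout. The original mixed
    # `=`, `:` and quoted keys; jsonencode renders all three identically, so
    # the emitted policy document is unchanged.
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        # Read/list every bucket in the account and write objects anywhere.
        # Fully subsumed by PackerS3Access below (which additionally grants
        # s3:DeleteObject*).
        {
          Action = [
            "s3:Get*",
            "s3:List*",
            "s3:PutObject*"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "DeployS3Access"
        },
        # Identical to PackerS3BucketAccess below; one of the two is redundant.
        {
          Action = [
            "s3:ListAllMyBuckets",
            "s3:CreateBucket"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "DeployS3BucketAccess"
        },
        # The Packer* EC2 statements are scoped by action but not by resource.
        # All of them are superseded by the ec2:* grant in EC2FullAccess below
        # and survive only as documentation of what Packer actually needs.
        {
          Action = [
            "ec2:CreateSecurityGroup",
            "ec2:DeleteSecurityGroup",
            "ec2:DescribeSecurityGroups",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupIngress"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "PackerSecurityGroupAccess"
        },
        {
          Action = [
            "ec2:CreateImage",
            "ec2:RegisterImage",
            "ec2:DeregisterImage",
            "ec2:DescribeImages"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "PackerAMIAccess"
        },
        {
          Action = [
            "ec2:CreateSnapshot",
            "ec2:DeleteSnapshot",
            "ec2:DescribeSnapshots"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "PackerSnapshotAccess"
        },
        # ec2:RunInstances on "*" together with iam:PassRole on "*" (see
        # BambooExtraPermissions) lets the agent launch an instance under any
        # role in the account; this pair is what a PassRole resource scope
        # normally bounds.
        {
          Action = [
            "ec2:RunInstances",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:RebootInstances",
            "ec2:TerminateInstances",
            "ec2:DescribeInstances",
            "ec2:CreateTags"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "PackerInstanceAccess"
        },
        {
          Action = [
            "ec2:CreateKeyPair",
            "ec2:DeleteKeyPair",
            "ec2:DescribeKeyPairs"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "PackerKeyPairAccess"
        },
        # Superset of DeployS3Access: also deletes objects, still in any bucket.
        {
          Action = [
            "s3:Get*",
            "s3:List*",
            "s3:PutObject*",
            "s3:DeleteObject*"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "PackerS3Access"
        },
        {
          Action = [
            "s3:ListAllMyBuckets",
            "s3:CreateBucket"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "PackerS3BucketAccess"
        },
        # Full EC2 on every resource, well beyond the Packer actions enumerated
        # above. If the enumerated statements reflect real need, this grant is
        # the one to remove or narrow.
        {
          Action = [
            "ec2:*"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "EC2FullAccess"
        },
        # Service-wide wildcard: includes deleting/overwriting images in every
        # repository, not just pushing build artifacts.
        {
          Action = [
            "ecr:*"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "EcrPermissions"
        },
        # cloudformation:* on "*" with iam:PassRole on "*" means any stack can
        # be deployed under any role; the stack's own permissions then apply.
        {
          Action = [
            "cloudformation:*"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "CloudformationPermissions"
        },
        # Sid has a typo ("Permissons"); harmless, Sids are only labels. The
        # kms actions here are on "*", i.e. every CMK in the account, not just
        # the backup vault key.
        {
          Action = [
            "backup:*",
            "backup-storage:MountCapsule",
            "kms:CreateGrant",
            "kms:GenerateDataKey",
            "kms:Decrypt",
            "kms:RetireGrant",
            "kms:DescribeKey"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "BackupVaultPermissons"
        },
        # One of the few statements with an ARN-typed resource (region and
        # account still wildcarded).
        {
          Action = [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogStreams",
            "logs:PutMetricFilter"
          ]
          Effect = "Allow"
          Resource = [
            "arn:aws:logs:*:*:*"
          ]
          Sid = "AwsLogs"
        },
        # HIGHEST-RISK statement. iam:CreateRole + iam:PutRolePolicy +
        # iam:PassRole on Resource "*" lets this role create a new role with
        # an arbitrary inline policy and hand it to a service, so the agent's
        # effective privilege is not bounded by the actions listed in this
        # document. It also silently supersedes the resource-scoped
        # eksIamPermissions statement below (same iam actions, any resource).
        # The remaining "<service>:*" entries grant full control of every
        # resource of those services in the account; kms:Decrypt on "*" covers
        # every CMK. Detection: CloudTrail iam:CreateRole / iam:PutRolePolicy
        # events from this role outside the eksctl-* naming pattern are
        # unexpected and worth alerting on.
        {
          Action = [
            "iam:CreateRole",
            "iam:DeleteRolePolicy",
            "iam:GetRole",
            "iam:PutRolePolicy",
            "iam:DeleteRole",
            "iam:PassRole",
            "ecs:*",
            "eks:*",
            "elasticloadbalancing:*",
            "logs:DeleteLogGroup",
            "logs:DescribeLogGroups",
            "logs:PutRetentionPolicy",
            "autoscaling:*",
            "route53:*",
            "elasticache:*",
            "apigateway:*",
            "cloudfront:*",
            "sns:*",
            "sqs:*",
            "rds:*",
            "cloudwatch:*",
            "elasticfilesystem:*",
            "application-autoscaling:*",
            "dynamodb:*",
            "kms:Decrypt",
            "ssm:*",
            "lambda:*",
            "kafka:*",
            "acm:*",
            "events:*",
            "license-manager:*"
          ]
          Effect = "Allow"
          Resource = "*"
          Sid = "BambooExtraPermissions"
        },
        # Properly conditioned: service-linked roles may only be created for the
        # listed AWS services. This is the pattern the other iam grants above
        # should follow.
        {
          Action = [
            "iam:CreateServiceLinkedRole"
          ]
          Condition = {
            StringEquals = {
              "iam:AWSServiceName" = [
                "autoscaling.amazonaws.com",
                "ec2scheduled.amazonaws.com",
                "elasticloadbalancing.amazonaws.com",
                "eks.amazonaws.com",
                "spot.amazonaws.com",
                "spotfleet.amazonaws.com",
                "transitgateway.amazonaws.com"
              ]
            }
          }
          Effect = "Allow"
          Resource = "*"
          Sid = "eksCreateServiceRoles"
        },
        # Scoped to the /aws/* parameter namespace in this account plus the
        # account-less ARN form used by AWS-published public parameters.
        # Redundant while ssm:* on "*" is granted above, but records the
        # intended scope. The account ID is hard-coded here and in
        # eksIamPermissions; reusing this module in another account breaks
        # these ARNs (data.aws_caller_identity would avoid that, but no such
        # data source is visible in this file).
        {
          Action = [
            "ssm:GetParameter",
            "ssm:GetParameters"
          ]
          Effect = "Allow"
          Resource = [
            "arn:aws:ssm:*:336837717482:parameter/aws/*",
            "arn:aws:ssm:*::parameter/aws/*"
          ]
          Sid = "eksSsmParameterAccess"
        },
        # Well scoped to eksctl-managed names, but see BambooExtraPermissions:
        # the same iam actions are already allowed on every resource, so this
        # scope is not currently enforced in effect.
        {
          Action = [
            "iam:CreateInstanceProfile",
            "iam:DeleteInstanceProfile",
            "iam:GetInstanceProfile",
            "iam:RemoveRoleFromInstanceProfile",
            "iam:GetRole",
            "iam:CreateRole",
            "iam:DeleteRole",
            "iam:AttachRolePolicy",
            "iam:PutRolePolicy",
            "iam:ListInstanceProfiles",
            "iam:AddRoleToInstanceProfile",
            "iam:ListInstanceProfilesForRole",
            "iam:PassRole",
            "iam:DetachRolePolicy",
            "iam:DeleteRolePolicy",
            "iam:GetRolePolicy",
            "iam:GetOpenIDConnectProvider",
            "iam:CreateOpenIDConnectProvider",
            "iam:DeleteOpenIDConnectProvider",
            "iam:ListAttachedRolePolicies",
            "iam:TagRole"
          ]
          Effect = "Allow"
          Resource = [
            "arn:aws:iam::336837717482:instance-profile/eksctl-*",
            "arn:aws:iam::336837717482:role/eksctl-*",
            "arn:aws:iam::336837717482:oidc-provider/*",
            "arn:aws:iam::336837717482:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
            "arn:aws:iam::336837717482:role/eksctl-managed-*"
          ]
          Sid = "eksIamPermissions"
        },
        # Service-wide wildcards on every resource.
        {
          Action = [
            "kinesis:*"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "KinesisFullPermissions"
        },
        {
          Action = [
            "states:*"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "StepfunctionPermissions"
        },
        # secretsmanager:Get* on "*" lets the agent read every secret in the
        # account, not only the ones it creates. An ARN-prefix or resource-tag
        # condition would bound this if the deploy naming scheme allows it.
        {
          Action = [
            "secretsmanager:DescribeSecret",
            "secretsmanager:Get*",
            "secretsmanager:Create*",
            "secretsmanager:Put*",
            "secretsmanager:Update*",
            "secretsmanager:List*",
            "secretsmanager:TagResource",
            "secretsmanager:UntagResource",
            "secretsmanager:DeleteSecret"
          ]
          Effect = "Allow"
          Resource = [
            "*"
          ]
          Sid = "SecretsmanagerPermissions"
        },
        # Token actions for pulling from ECR Public; these take no resource ARN,
        # so "*" is the expected scope here.
        {
          Action = [
            "ecr-public:GetAuthorizationToken",
            "sts:GetServiceBearerToken"
          ]
          Effect = "Allow"
          Resource = "*"
          Sid = "loadPublicEcr"
        }
      ]
    })
  }
}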